Installing the ELK stack (Elasticsearch, Kibana, Logstash, Filebeat) version 8.8.2 on Windows
References
https://elasticstack.blog.csdn.net/article/details/99413578
https://elasticstack.blog.csdn.net/article/details/99433732
https://elasticstack.blog.csdn.net/article/details/99655350
https://elasticstack.blog.csdn.net/article/details/105973985
https://elasticstack.blog.csdn.net/article/details/105979677
https://codeleading.com/article/12106033759
Official documentation: https://www.elastic.co/guide/en/elastic-stack/current/installing-elastic-stack.html
Elasticsearch
Download: https://www.elastic.co/cn/downloads/past-releases/elasticsearch-8-8-2
Single node
ES configuration
https://codeleading.com/article/12106033759/
# elasticsearch.yml
http.port: 9200
discovery.type: single-node
http.host: 0.0.0.0
xpack.security.enabled: true
xpack.license.self_generated.type: basic
# jvm.options
-Dfile.encoding=GBK
# Start
elasticsearch.bat
# Set the built-in user passwords
elasticsearch-setup-passwords.bat interactive
Kibana configuration
server.publicBaseUrl: "http://localhost:5601/"
elasticsearch.hosts: ["http://localhost:9200"]
elasticsearch.username: "kibana_system"
elasticsearch.password: "123456"
i18n.locale: "zh-CN"
Single-machine cluster
Edit elasticsearch.yml
On the other nodes change node.name (e.g. node-2, node-3, client) and http.port (e.g. 9202, 9203, 9200); the rest of the configuration is identical.
cluster.name: DESKTOP-A9ORD1T
node.name: node-1
network.host: 0.0.0.0
http.port: 9201
Edit jvm.options
# Console encoding for Chinese output
-Dfile.encoding=GBK
Remove the CLASSPATH setting
Delete the CLASSPATH environment variable; current JDK versions no longer need it.
Start
elasticsearch.bat
A successful start prints output like the following:
Record the elastic password, the Kibana enrollment token (expires after 30 minutes) and the node enrollment token.
Test
Open https://localhost:9201/ in a browser and enter the username and password.
Change the password (optional)
elasticsearch-reset-password.bat -u elastic
Other nodes joining the cluster
elasticsearch.bat --enrollment-token eyJ2ZXIiOiI4LjguMiIsImFkciI6WyIxNzIuMjEuMTEyLjE6OTIwMCJdLCJmZ3IiOiIxZDk1Y2IyOTRhZDljNGIxYzI2NmRhODU1NWVjZWI5ZGRmY2NmOWQzOGRjODEzMDA0Mjk2ODNkN2MxNDcyYjBkIiwia2V5IjoiMDZZRWNZa0JqOFRFMTkwb3htRDU6bGVZWnVwRVpTRmE5XzhIS2dFZzlRUSJ9
View cluster information
https://localhost:9201/_cat/nodes
Generating new tokens after expiry
# Kibana
elasticsearch-create-enrollment-token.bat -s kibana
# Elasticsearch node
elasticsearch-create-enrollment-token.bat -s node
View the certificate passwords
# config/certs/http.p12
elasticsearch-keystore.bat show xpack.security.http.ssl.keystore.secure_password
# config/certs/transport.p12
elasticsearch-keystore.bat show xpack.security.transport.ssl.keystore.secure_password
Configure the client node
This node's main job is to connect to Kibana and provide load balancing and cluster monitoring for the ES cluster; it is the node exposed to the outside.
ES 8 has finer-grained node roles; see: https://blog.csdn.net/laoyang360/article/details/124762830.
Edit elasticsearch.yml:
cluster.name: DESKTOP-A9ORD1T
node.name: client
network.host: 0.0.0.0
http.port: 9203
node.roles: [ remote_cluster_client ]
Join the cluster:
elasticsearch.bat --enrollment-token eyJ2ZXIiOiI4LjguMiIsImFkciI6WyIxNzIuMjEuMTEyLjE6OTIwMCJdLCJmZ3IiOiIxZDk1Y2IyOTRhZDljNGIxYzI2NmRhODU1NWVjZWI5ZGRmY2NmOWQzOGRjODEzMDA0Mjk2ODNkN2MxNDcyYjBkIiwia2V5IjoiMDZZRWNZa0JqOFRFMTkwb3htRDU6bGVZWnVwRVpTRmE5XzhIS2dFZzlRUSJ9
Note
Once the single-machine cluster is running, change the ES address in the client node configuration and in the Kibana configuration below to 127.0.0.1; otherwise the node IP may change after the machine reboots.
Adding the IK analyzer
Download: https://github.com/medcl/elasticsearch-analysis-ik/releases/download/v8.8.2/elasticsearch-analysis-ik-8.8.2.zip
Copy the unzipped folder into the ES plugins directory, then restart ES.
D:\ELK\elasticsearch-8.8.2-node1\plugins\elasticsearch-analysis-ik-8.8.2
If there is no plugin release matching the Elasticsearch version, download the nearest plugin version and edit the version manually in the plugin's plugin-descriptor.properties file:
elasticsearch.version=8.8.2
Kibana
Download: https://www.elastic.co/cn/downloads/past-releases/kibana-8-8-2
Edit kibana.yml
# Chinese UI locale
i18n.locale: "zh-CN"
Start
kibana.bat
A successful start prints output like the following:
Connecting to Elasticsearch
Run on the ES client node:
elasticsearch-create-enrollment-token.bat -s kibana
Copy and paste the generated token.
Log in to Kibana
Username: elastic; password: the one saved earlier.
Integrating geo coordinates into maps
Fixing the problem where Kibana map visualizations cannot recognize location coordinates (geo_point) and report field mapping conflicts: https://blog.csdn.net/zhangjunfun/article/details/119757544
Logstash configuration
After configuring Logstash, temporarily stop the data input and delete the index that was in use before the change, then restart Logstash (or wait until the next day's index is created automatically); otherwise Logstash reports that the geo field cannot be recognized.
filter {
  grok {
    match => { "message" => "%{IP:ip}" }
  }
  # Look up the geographic location from the IP: parse the clientip field and write the result to the geoip field
  # (the field named in geoip's source must be the one the grok above actually writes the address to)
  # ES 8.x
  geoip {
    source => "[source][address]"
    target => "geoip"
  }
  # Versions below ES 8.x
  #geoip {
  #  source => "clientip"
  #}
}
Kibana configuration
Create a new dashboard, choose the visualization type Maps, click Add layer → Documents, select the data view, click Add and continue, then add any custom settings you need.
Logstash
Download: https://www.elastic.co/cn/downloads/past-releases/logstash-8-8-2
Reference: https://blog.csdn.net/weixin_44303027/article/details/125349855
Edit logstash.yml
config.reload.automatic: true
Note: the stdin input plugin does not support automatic reload.
Create logstash.conf
Create a file named logstash.conf in the Logstash root directory:
input {
  stdin { }
}
output {
  stdout {
    codec => rubydebug
  }
}
Start
logstash.bat -f logstash.conf
Simple test
Type in the console: hello world
Using filters
Official documentation: https://www.elastic.co/guide/en/logstash/current/filter-plugins.html
grok patterns: https://github.com/logstash-plugins/logstash-patterns-core/blob/main/patterns/ecs-v1/grok-patterns
Edit logstash.conf
input {
  tcp {
    port => 5045
  }
}
filter {
  # Match with regular expressions and turn the unstructured input into structured data
  #grok {
  #  match => { "message" => "%{COMBINEDAPACHELOG}" }
  #}
  # Data type conversion: here the bytes field is converted to integer
  #mutate {
  #  convert => {
  #    "bytes" => "integer"
  #  }
  #}
  # Look up the geographic location from the IP: parse the clientip field and write the result to the geoip field
  # ES 8.x
  #geoip {
  #  source => "[source][address]"
  #  target => "geoip"
  #}
  # Versions below ES 8.x
  #geoip {
  #  source => "clientip"
  #}
  # Parse browser information: parse the agent field and write the result to the useragent field
  #useragent {
  #  source => "agent"
  #  target => "useragent"
  #}
  # Date parsing: here the timestamp field is parsed
  #date {
  #  match => ["timestamp", "dd/MMM/yyyy:HH:mm:ss Z"]
  #}
}
output {
  # Output to the console
  stdout { }
  # Output to ES
  elasticsearch {
    hosts => ["localhost:9200"]
    user => "elastic"
    password => "password"
    ssl_certificate_verification => true
    # The http.p12 file generated in config/certs when ES started
    truststore => "D:\ELK\logstash-8.8.2\config\certs\http.p12"
    # Password of http.p12; view it with: elasticsearch-keystore.bat show xpack.security.http.ssl.keystore.secure_password
    truststore_password => "dqG8DEKqSdSz9G0hvfKshA"
  }
}
Testing grok expressions
In the Kibana left-hand menu choose Management → Dev Tools → Grok Debugger.
Enable the keystore to protect your passwords
# Create the keystore file
logstash-keystore.bat create
# ES_HOST, LS_USER and LS_PWD are arbitrary names of your own choosing.
# Add the ES host address: https://localhost:9200
logstash-keystore.bat add ES_HOST
# Add the ES user
logstash-keystore.bat add LS_USER
# Add the ES password
logstash-keystore.bat add LS_PWD
# List the keys that have been created
logstash-keystore.bat list
Use in logstash.conf
output {
  stdout { }
  elasticsearch {
    hosts => ["${ES_HOST}"]
    user => "${LS_USER}"
    password => "${LS_PWD}"
  }
}
Complete example
input {
  tcp {
    mode => "server"
    host => "0.0.0.0"
    port => 5045
    codec => json_lines
  }
  beats {
    port => 5044
  }
}
filter {
  if [fields][springAppName] {
    grok {
      match => { "message" => "%{TIMESTAMP_ISO8601:time} \[%{DATA:threadName}\] %{LOGLEVEL:level} %{DATA:class}:%{NUMBER:code_line} - %{GREEDYDATA:msg}" }
    }
  }
}
output {
  # Output to the console
  #stdout { }
  # Output to ES
  elasticsearch {
    hosts => ["${ES_HOST}"]
    index => "log-%{springAppName}-%{+YYYY.MM.dd}"
    user => "${LS_USER}"
    password => "${LS_PWD}"
    ssl_certificate_verification => true
    truststore => "D:\ELK\logstash-8.8.2\config\certs\http.p12"
    truststore_password => "sL2RboJvQneP2spnb5JYag"
  }
  elasticsearch {
    hosts => ["${ES_HOST}"]
    manage_template => false
    index => "log-%{[fields][springAppName]}-%{+YYYY.MM.dd}"
    user => "${LS_USER}"
    password => "${LS_PWD}"
    ssl_certificate_verification => true
    truststore => "D:\ELK\logstash-8.8.2\config\certs\http.p12"
    truststore_password => "sL2RboJvQneP2spnb5JYag"
  }
}
JDBC input plugin
Reference: https://blog.csdn.net/w1014074794/article/details/125249780
Using a timestamp column as the incremental update field
input {
  jdbc {
    jdbc_driver_library => "D:\ELK\logstash-8.8.2-local-test\lib\mysql-connector-j-8.0.33.jar"
    jdbc_driver_class => "com.mysql.cj.jdbc.Driver"
    jdbc_connection_string => "jdbc:mysql://localhost:3306/jpress_dev"
    jdbc_user => root
    jdbc_password => "123456"
    jdbc_paging_enabled => true
    use_column_value => true
    tracking_column => "created"
    tracking_column_type => "timestamp"
    schedule => "*/5 * * * * *"
    statement => "SELECT * FROM utm WHERE created > :sql_last_value and created < now() ORDER BY created ASC"
  }
}
output {
  stdout { }
  elasticsearch {
    index => "jpress_dev"
    document_id => "%{id}"
    hosts => ["http://localhost:9200"]
    user => "elastic"
    password => "123456"
  }
}
Using the primary key id as the incremental update field
input {
  jdbc {
    jdbc_driver_library => "D:\ELK\logstash-8.8.2-local-test\lib\mysql-connector-j-8.0.33.jar"
    jdbc_driver_class => "com.mysql.cj.jdbc.Driver"
    jdbc_connection_string => "jdbc:mysql://localhost:3306/jpress_dev"
    jdbc_user => root
    jdbc_password => "123456"
    jdbc_paging_enabled => true
    use_column_value => true
    tracking_column => "id"
    tracking_column_type => "numeric"
    schedule => "*/5 * * * * *"
    statement => "SELECT * FROM utm WHERE id > :sql_last_value ORDER BY id ASC"
  }
}
output {
  stdout { }
  elasticsearch {
    index => "jpress_dev"
    document_id => "%{id}"
    hosts => ["http://localhost:9200"]
    user => "elastic"
    password => "123456"
  }
}
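Added example (not from the original post) showing how the two jdbc configurations above advance :sql_last_value between scheduled runs. It uses an in-memory SQLite table with constructed rows in place of the MySQL utm table, binds the placeholder the way the plugin does, and leaves out persistence to last_run_metadata_path.

```python
import sqlite3

def make_db():
    """Constructed stand-in for the MySQL utm table (in-memory SQLite)."""
    con = sqlite3.connect(":memory:")
    con.row_factory = sqlite3.Row
    con.execute("CREATE TABLE utm (id INTEGER PRIMARY KEY, created TEXT, name TEXT)")
    con.executemany("INSERT INTO utm VALUES (?, ?, ?)", [
        (1, "2023-06-21 10:00:00", "a"),
        (2, "2023-06-21 10:00:05", "b"),
        (3, "2023-06-21 10:00:05", "c"),   # shares a timestamp with id 2
    ])
    return con

class IncrementalInput:
    """Models one jdbc input block: use_column_value => true with a tracking_column.
    Saving the value to last_run_metadata_path between restarts is left out."""
    def __init__(self, con, statement, tracking_column, tracking_column_type):
        self.con, self.statement, self.col = con, statement, tracking_column
        # Initial :sql_last_value as Logstash sets it: 0 for numeric, the epoch for timestamp
        self.sql_last_value = 0 if tracking_column_type == "numeric" else "1970-01-01 00:00:00"

    def run_once(self):
        """One scheduled run: bind :sql_last_value, fetch, then advance it to the last row's value."""
        rows = self.con.execute(self.statement, {"sql_last_value": self.sql_last_value}).fetchall()
        if rows:                                   # rows arrive ORDER BY tracking column ASC
            self.sql_last_value = rows[-1][self.col]
        return [dict(r) for r in rows]

def demo():
    """Run both strategies three times; returns row counts per run and the final tracking values."""
    con = make_db()
    by_id = IncrementalInput(con,
        "SELECT * FROM utm WHERE id > :sql_last_value ORDER BY id ASC", "id", "numeric")
    by_time = IncrementalInput(con,
        "SELECT * FROM utm WHERE created > :sql_last_value AND created < datetime('now') ORDER BY created ASC",
        "created", "timestamp")
    counts = [(len(by_id.run_once()), len(by_time.run_once()))]
    # A row inserted between runs is picked up by both strategies on the next run; nothing is re-read
    con.execute("INSERT INTO utm VALUES (4, '2023-06-21 10:00:10', 'd')")
    counts.append((len(by_id.run_once()), len(by_time.run_once())))
    counts.append((len(by_id.run_once()), len(by_time.run_once())))   # nothing new: (0, 0)
    return counts, by_id.sql_last_value, by_time.sql_last_value

if __name__ == "__main__":
    print(demo())
```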
Filebeat
Download: https://www.elastic.co/cn/downloads/past-releases/filebeat-8-8-2
Official documentation: https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-installation-configuration.html
Configuring multiline merging
The configuration differs depending on whether the filebeat.inputs type is filestream or log; note that entries such as type: pattern need a few more leading spaces, otherwise Filebeat fails to start for no obvious reason.
Official documentation: https://www.elastic.co/guide/en/beats/filebeat/current/multiline-examples.html#multiline
Log format:
2023-06-21 10:11:56.276 [http-nio-7073-exec-12] ERROR org.dog.common.exception.JeecgBootExceptionHandler:57 - 登陆用户的租户信息不存在
cn.hutool.core.exceptions.ValidateException: 登陆用户的租户信息不存在
at cn.hutool.core.lang.Validator.validateTrue(Validator.java:125)
at org.dog.modules.system.controller.LoginController.login(LoginController.java:87)
at org.dog.modules.system.controller.LoginController$$FastClassBySpringCGLIB$$719fe82f.invoke(<generated>)
at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:218)
at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:749)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163)
at org.springframework.aop.aspectj.MethodInvocationProceedingJoinPoint.proceed(MethodInvocationProceedingJoinPoint.java:88)
at org.dog.common.aspect.DictAspect.doAround(DictAspect.java:50)
at sun.reflect.GeneratedMethodAccessor362.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
Configuration:
filebeat.inputs:
  - type: filestream
    id: my-filestream-id
    enabled: true
    paths:
      - D:\Downloads\Edge\*.log
    # fields_under_root: true makes the custom springAppName field a top-level field;
    # when false it is nested under the fields group
    fields_under_root: true
    fields:
      springAppName: dyke-item-api
    parsers:
      - multiline:
          type: pattern
          pattern: '^[0-9]{4}-[0-9]{2}-[0-9]{2}'
          negate: true
          match: after
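Added example (not from the original post) that reproduces what the multiline settings above (pattern, negate: true, match: after) do to the sample log, and then parses each merged event with a simplified regex equivalent of the grok pattern from the complete Logstash example. The log lines are constructed here in the same format as the sample above.

```python
import re

# Constructed sample in the log format shown above: one ERROR event followed by
# its stack trace, then a second event.
RAW_LINES = [
    "2023-06-21 10:11:56.276 [http-nio-7073-exec-12] ERROR org.dog.common.exception.JeecgBootExceptionHandler:57 - tenant info missing",
    "cn.hutool.core.exceptions.ValidateException: tenant info missing",
    "\tat cn.hutool.core.lang.Validator.validateTrue(Validator.java:125)",
    "\tat org.dog.modules.system.controller.LoginController.login(LoginController.java:87)",
    "2023-06-21 10:12:01.000 [http-nio-7073-exec-3] INFO org.dog.modules.system.controller.LoginController:42 - login ok",
]

# Same pattern as the Filebeat config: a line starting with a date opens a new event.
EVENT_START = re.compile(r"^[0-9]{4}-[0-9]{2}-[0-9]{2}")

def merge_multiline(lines):
    """negate: true + match: after -> a line that does NOT match the pattern is
    appended to the preceding event, which is how a stack trace stays with its log line."""
    events = []
    for line in lines:
        if EVENT_START.search(line) or not events:
            events.append(line)            # start of a new event
        else:
            events[-1] += "\n" + line      # continuation line joins the previous event
    return events

# Simplified regex equivalent of the grok pattern from the complete Logstash example:
# %{TIMESTAMP_ISO8601:time} \[%{DATA:threadName}\] %{LOGLEVEL:level}
# %{DATA:class}:%{NUMBER:code_line} - %{GREEDYDATA:msg}
GROK_EQUIV = re.compile(
    r"^(?P<time>\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}(?:\.\d+)?) "
    r"\[(?P<threadName>.*?)\] "
    r"(?P<level>TRACE|DEBUG|INFO|WARN|ERROR|FATAL) "
    r"(?P<class>.*?):(?P<code_line>\d+) - (?P<msg>.*)",
    re.DOTALL,  # GREEDYDATA must span the newlines that merging added
)

def parse_event(event):
    """Return the grok-style fields, or None where Logstash would tag _grokparsefailure."""
    m = GROK_EQUIV.match(event)
    return m.groupdict() if m else None

if __name__ == "__main__":
    for ev in merge_multiline(RAW_LINES):
        print(parse_event(ev))
```

Without the multiline parser each "at ..." line would reach Logstash as its own event and fail the grok match.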
Using the keystore
# Create the keystore file
filebeat.exe keystore create
# Create the Logstash host key
filebeat.exe keystore add LS_HOST